COA feature not working on Aruba Master - Local Aruba controllers.

We are integrating CPPM with an Aruba customer and running one master controller and two local controllers in the campus. We configured CPPM as the RADIUS authentication, accounting and RFC-3576 server for MAC and Captive Portal authentication. Everything works fine except for a CoA issue when we tried to disconnect an authenticated user from the Aruba controllers.

From Monitoring > Active Tracker, I found the master IP address (192.168.4.2) is recorded as the Access Device IP, although the actual RADIUS client is the local controller (192.168.4.6), which is the Connection: Src-IP-Address. So when I clicked “Change Status”, sent the Aruba Termination out, and typed “show aaa rfc-3576 status” on the controller CLI, I was surprised to see that the Disconnect CoA was sent to the master controller rather than the local controller. Then I tried changing the configuration of the RADIUS server to a NAS-IP of 192.168.4.6 on the master controller and synchronizing it to the local controllers, and the CoA request was sent to the local controller correctly.

So it seems CPPM always sends CoA to the NAS-IP address rather than the Connection: Src-IP-Address.

Answer:

CoA is ALWAYS sent to the NAS-IP-Address and not to the Src-IP-Address (this is by design), as shown in the access tracker logs below.

To fix this, we have to add an override to all the local controllers in question.

(ArubaController) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

(ArubaController) (config) #ip radius nas-ip x.x.x.x

where x.x.x.x is the IP of your local controller, which is shown above in the Access Tracker log.

The above configuration applies globally to all the RADIUS servers. To make this change on specific servers, please execute the below commands.

(ArubaController) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
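
Separately from the controller commands, the mismatch described in the question can be confirmed from a captured Access-Request by comparing its NAS-IP-Address attribute (RADIUS type 4) with the address the packet came from. The following Python is an added example, not part of the original answer or of any Aruba tooling; the function names are hypothetical and the packets are constructed from the addresses given in the question.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RADIUS attribute type 4 (RFC 2865)

def build_access_request(attrs):
    """Build a constructed Access-Request (code 1); the authenticator is zeroed."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", 1, 1, 20 + len(body), bytes(16)) + body

def parse_attributes(packet):
    """Yield (type, value) pairs, rejecting truncated or malformed TLVs."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def coa_destination_check(packet, src_ip):
    """Compare the NAS-IP-Address attribute with the address the request came from."""
    nas_ip = None
    for atype, value in parse_attributes(packet):
        if atype == NAS_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("NAS-IP-Address must be 4 bytes")
            nas_ip = str(ipaddress.IPv4Address(value))
    # mismatch=True means a CoA addressed to NAS-IP-Address will not reach src_ip
    return {"nas_ip": nas_ip, "src_ip": src_ip,
            "mismatch": nas_ip is not None and nas_ip != src_ip}

# Constructed samples: local controller 192.168.4.6 before and after the NAS-IP override
before = build_access_request([(1, b"user1"), (4, ipaddress.IPv4Address("192.168.4.2").packed)])
after = build_access_request([(1, b"user1"), (4, ipaddress.IPv4Address("192.168.4.6").packed)])

if __name__ == "__main__":
    for label, pkt in (("before override", before), ("after override", after)):
        print(label, coa_destination_check(pkt, "192.168.4.6"))
```

A result with mismatch set to True corresponds to the situation in the question, where the disconnect went to the master controller instead of the local one.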